Analysis
-
max time kernel
27s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 23:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe
-
Size
96KB
-
MD5
f4c204edae5fa9f9f1b622887c292f93
-
SHA1
def84a0f5e56f70939e9c3a74a4a93d2312850da
-
SHA256
3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46
-
SHA512
9eb633ddc01a9b63a56505bb3bf832c9a281fbbd01f9ef9f559e5a7b3ddb574a8730e907db8de6ef35a791eb3fc6d93c6211947944a4610331728b732a61870b
-
SSDEEP
1536:jC0fjvdXplFV+ePVqWpUs0YBB2Ln7RZObZUUWaegPYAm:jC0fjlX5VVHpUs0qanClUUWaet
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fpmbfbgo.exeIdicbbpi.exeLbafdlod.exeNjfjnpgp.exePnbojmmp.exeBniajoic.exeColpld32.exePpkjac32.exeAcnlgajg.exeIjehdl32.exeIacjjacb.exeNnjicjbf.exeOlbogqoe.exeBhkeohhn.exeAgolnbok.exeCinafkkd.exeDinneo32.exeHjgehgnh.exeCiagojda.exeGmpcgace.exeNkkmgncb.exeAhmefdcp.exeIoeclg32.exeApgagg32.exeNqjaeeog.exeNhgnaehm.exeDnpciaef.exeHbofmcij.exeKeqkofno.exeOeaqig32.exeBcbfbp32.exeIdkpganf.exeEheglk32.exeGdcjpncm.exePohhna32.exeAomnhd32.exeGdjqamme.exeKkgahoel.exeNnoiio32.exeBcpimq32.exeDhpgfeao.exeFamope32.exeMcckcbgp.exePfnmmn32.exeEemnnn32.exeHmdkjmip.exeAcicla32.exeCceogcfj.exeLpflkb32.exeNihcog32.exeKddomchg.exeAdnpkjde.exeJoidhh32.exeNmabjfek.exeOnlahm32.exeOiafee32.exeAjckilei.exeLkjjma32.exeDfmeccao.exeEaphjp32.exeEhlmljkm.exeGjbpne32.exeBacihmoo.exeLlbqfe32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmbfbgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbafdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkjac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgajg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijehdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacjjacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjicjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkeohhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cinafkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinneo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjgehgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciagojda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeaqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbfbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eheglk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdcjpncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjqamme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgahoel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpgfeao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cceogcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpflkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onlahm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfmeccao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaphjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjbpne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacihmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
Processes:
resource yara_rule behavioral1/files/0x000300000001fdca-3698.dat family_bruteratel behavioral1/files/0x000400000002045c-4044.dat family_bruteratel behavioral1/files/0x0003000000020973-5260.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Ehkhaqpk.exeEpbpbnan.exeEijdkcgn.exeEhpalp32.exeEoiiijcc.exeFkpjnkig.exeFpmbfbgo.exeFamope32.exeFcnkhmdp.exeFqalaa32.exeFcphnm32.exeFfaaoh32.exeFmkilb32.exeGhajacmo.exeGolbnm32.exeGmpcgace.exeGnaooi32.exeGgicgopd.exeGoplilpf.exeGbohehoj.exeGkglnm32.exeGcbabpcf.exeGgnmbn32.exeHjlioj32.exeHjofdi32.exeHmmbqegc.exeHfegij32.exeHmoofdea.exeHfhcoj32.exeHldlga32.exeHcldhnkk.exeHmdhad32.exeHneeilgj.exeIikifegp.exeIbcnojnp.exeIeajkfmd.exeIllbhp32.exeIhbcmaje.exeIlnomp32.exeImokehhl.exeIdicbbpi.exeIjclol32.exeIdkpganf.exeIjehdl32.exeJdnmma32.exeJkhejkcq.exeJliaac32.exeJdpjba32.exeJfofol32.exeJmhnkfpa.exeJojkco32.exeJbefcm32.exeJioopgef.exeJhbold32.exeJbhcim32.exeJefpeh32.exeJialfgcc.exeJkchmo32.exeJondnnbk.exeKdklfe32.exeKhghgchk.exeKncaojfb.exeKekiphge.exeKkgahoel.exepid Process 2088 Ehkhaqpk.exe 1980 Epbpbnan.exe 2440 Eijdkcgn.exe 2836 Ehpalp32.exe 2828 Eoiiijcc.exe 2296 Fkpjnkig.exe 2668 Fpmbfbgo.exe 2688 Famope32.exe 1268 Fcnkhmdp.exe 2600 Fqalaa32.exe 1668 Fcphnm32.exe 1636 Ffaaoh32.exe 2888 Fmkilb32.exe 2208 Ghajacmo.exe 556 Golbnm32.exe 2596 Gmpcgace.exe 1600 Gnaooi32.exe 980 Ggicgopd.exe 1572 Goplilpf.exe 1640 Gbohehoj.exe 2568 Gkglnm32.exe 2256 Gcbabpcf.exe 2460 Ggnmbn32.exe 948 Hjlioj32.exe 2112 Hjofdi32.exe 2696 Hmmbqegc.exe 2176 Hfegij32.exe 2148 Hmoofdea.exe 2356 Hfhcoj32.exe 2240 Hldlga32.exe 2740 Hcldhnkk.exe 2500 Hmdhad32.exe 2952 Hneeilgj.exe 2664 Iikifegp.exe 1828 Ibcnojnp.exe 2672 Ieajkfmd.exe 1116 Illbhp32.exe 1952 Ihbcmaje.exe 2884 Ilnomp32.exe 3004 Imokehhl.exe 1784 Idicbbpi.exe 1092 Ijclol32.exe 944 Idkpganf.exe 1216 Ijehdl32.exe 1228 Jdnmma32.exe 1896 Jkhejkcq.exe 2180 Jliaac32.exe 2312 Jdpjba32.exe 2496 Jfofol32.exe 2572 Jmhnkfpa.exe 2396 Jojkco32.exe 2160 Jbefcm32.exe 1912 Jioopgef.exe 2924 Jhbold32.exe 2944 Jbhcim32.exe 2784 Jefpeh32.exe 2444 Jialfgcc.exe 2284 Jkchmo32.exe 1764 Jondnnbk.exe 2040 Kdklfe32.exe 2424 Khghgchk.exe 2976 Kncaojfb.exe 3000 Kekiphge.exe 2224 Kkgahoel.exe -
Loads dropped DLL 64 IoCs
Processes:
3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exeEhkhaqpk.exeEpbpbnan.exeEijdkcgn.exeEhpalp32.exeEoiiijcc.exeFkpjnkig.exeFpmbfbgo.exeFamope32.exeFcnkhmdp.exeFqalaa32.exeFcphnm32.exeFfaaoh32.exeFmkilb32.exeGhajacmo.exeGolbnm32.exeGmpcgace.exeGnaooi32.exeGgicgopd.exeGoplilpf.exeGbohehoj.exeGkglnm32.exeGcbabpcf.exeGgnmbn32.exeHjlioj32.exeHjofdi32.exeHmmbqegc.exeHfegij32.exeHmoofdea.exeHfhcoj32.exeHldlga32.exeHcldhnkk.exepid Process 2064 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe 2064 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe 2088 Ehkhaqpk.exe 2088 Ehkhaqpk.exe 1980 Epbpbnan.exe 1980 Epbpbnan.exe 2440 Eijdkcgn.exe 2440 Eijdkcgn.exe 2836 Ehpalp32.exe 2836 Ehpalp32.exe 2828 Eoiiijcc.exe 2828 Eoiiijcc.exe 2296 Fkpjnkig.exe 2296 Fkpjnkig.exe 2668 Fpmbfbgo.exe 2668 Fpmbfbgo.exe 2688 Famope32.exe 2688 Famope32.exe 1268 Fcnkhmdp.exe 1268 Fcnkhmdp.exe 2600 Fqalaa32.exe 2600 Fqalaa32.exe 1668 Fcphnm32.exe 1668 Fcphnm32.exe 1636 Ffaaoh32.exe 1636 Ffaaoh32.exe 2888 Fmkilb32.exe 2888 Fmkilb32.exe 2208 Ghajacmo.exe 2208 Ghajacmo.exe 556 Golbnm32.exe 556 Golbnm32.exe 2596 Gmpcgace.exe 2596 Gmpcgace.exe 1600 Gnaooi32.exe 1600 Gnaooi32.exe 980 Ggicgopd.exe 980 Ggicgopd.exe 1572 Goplilpf.exe 1572 Goplilpf.exe 1640 Gbohehoj.exe 1640 Gbohehoj.exe 2568 Gkglnm32.exe 2568 Gkglnm32.exe 2256 Gcbabpcf.exe 2256 Gcbabpcf.exe 2460 Ggnmbn32.exe 2460 Ggnmbn32.exe 948 Hjlioj32.exe 948 Hjlioj32.exe 2112 Hjofdi32.exe 2112 Hjofdi32.exe 2696 Hmmbqegc.exe 2696 Hmmbqegc.exe 2176 Hfegij32.exe 2176 Hfegij32.exe 2148 Hmoofdea.exe 2148 Hmoofdea.exe 2356 Hfhcoj32.exe 2356 Hfhcoj32.exe 2240 Hldlga32.exe 2240 Hldlga32.exe 2740 Hcldhnkk.exe 2740 Hcldhnkk.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kjmnjkjd.exeOpfegp32.exeFkcilc32.exeGlbaei32.exeHldlga32.exeGecpnp32.exeNameek32.exePljlbf32.exeHegpjaac.exeBnochnpm.exeGhajacmo.exeOekjjl32.exeBqmpdioa.exeJnmiag32.exeLbafdlod.exeApmcefmf.exeGgagmjbq.exeJhahanie.exeFeddombd.exeHqgddm32.exeEhkhaqpk.exeJdpjba32.exeNkkmgncb.exeOjeobm32.exeIgebkiof.exeLfoojj32.exeMgedmb32.exeFaonom32.exeCaifjn32.exeGpjkeoha.exeIpjdameg.exeJcqlkjae.exeCnmfdb32.exeEheglk32.exeEbckmaec.exeLibjncnc.exeMfmndn32.exeAhbekjcf.exeJbnjhh32.exeLdheebad.exeOioipf32.exeBniajoic.exeAclpaali.exeGpidki32.exeOibmpl32.exeDfpaic32.exeBlkjkflb.exeKhgkpl32.exeJdnmma32.exeJijokbfp.exeQemldifo.exeAgihgp32.exe3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exeAoojnc32.exeKalipcmb.exeIlcalnii.exeLegaoehg.exeJpgmpk32.exeNhjjgd32.exeApgagg32.exeKpojkp32.exeIakino32.exeMbcoio32.exedescription ioc Process File created C:\Windows\SysWOW64\Kpgffe32.exe Kjmnjkjd.exe File created C:\Windows\SysWOW64\Cdiedagc.dll Opfegp32.exe File opened for modification C:\Windows\SysWOW64\Famaimfe.exe Fkcilc32.exe File created C:\Windows\SysWOW64\Gekfnoog.exe Glbaei32.exe File created C:\Windows\SysWOW64\Nmepgp32.dll Hldlga32.exe File opened for modification C:\Windows\SysWOW64\Gpidki32.exe Gecpnp32.exe File opened for modification C:\Windows\SysWOW64\Nhgnaehm.exe Nameek32.exe File opened for modification C:\Windows\SysWOW64\Pohhna32.exe Pljlbf32.exe File created C:\Windows\SysWOW64\Hgflflqg.exe Hegpjaac.exe File created C:\Windows\SysWOW64\Bqmpdioa.exe Bnochnpm.exe File created C:\Windows\SysWOW64\Kfnpea32.dll Ghajacmo.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Oekjjl32.exe File created C:\Windows\SysWOW64\Egdpmo32.dll Bqmpdioa.exe File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe Jnmiag32.exe File created C:\Windows\SysWOW64\Chdndgcj.dll Lbafdlod.exe File created C:\Windows\SysWOW64\Aclpaali.exe Apmcefmf.exe File opened for modification C:\Windows\SysWOW64\Gagkjbaf.exe Ggagmjbq.exe File created C:\Windows\SysWOW64\Jokqnhpa.exe Jhahanie.exe File created C:\Windows\SysWOW64\Folhgbid.exe Feddombd.exe File created C:\Windows\SysWOW64\Hcepqh32.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Epbpbnan.exe Ehkhaqpk.exe File created C:\Windows\SysWOW64\Jfofol32.exe Jdpjba32.exe File opened for modification C:\Windows\SysWOW64\Nnjicjbf.exe Nkkmgncb.exe File created C:\Windows\SysWOW64\Mphaobfe.dll Ojeobm32.exe File created C:\Windows\SysWOW64\Imbjcpnn.exe Igebkiof.exe File opened for modification C:\Windows\SysWOW64\Lhnkffeo.exe Lfoojj32.exe File created C:\Windows\SysWOW64\Mqnifg32.exe Mgedmb32.exe File created C:\Windows\SysWOW64\Fijbco32.exe Faonom32.exe File created C:\Windows\SysWOW64\Cgcnghpl.exe Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Gkoobhhg.exe Gpjkeoha.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Ipjdameg.exe File created C:\Windows\SysWOW64\Khljoh32.dll Jcqlkjae.exe File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Ekdchf32.exe Eheglk32.exe File created C:\Windows\SysWOW64\Elkofg32.exe Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Llpfjomf.exe Libjncnc.exe File opened for modification C:\Windows\SysWOW64\Mcqombic.exe Mfmndn32.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Jelfdc32.exe Jbnjhh32.exe File created C:\Windows\SysWOW64\Pacmhh32.dll Ldheebad.exe File opened for modification C:\Windows\SysWOW64\Olmela32.exe Oioipf32.exe File created C:\Windows\SysWOW64\Bceibfgj.exe Bniajoic.exe File created C:\Windows\SysWOW64\Ogmkng32.dll Aclpaali.exe File created C:\Windows\SysWOW64\Gcgqgd32.exe Gpidki32.exe File opened for modification C:\Windows\SysWOW64\Omnipjni.exe Oibmpl32.exe File opened for modification C:\Windows\SysWOW64\Dinneo32.exe Dfpaic32.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Blkjkflb.exe File created C:\Windows\SysWOW64\Mmofpf32.dll Khgkpl32.exe File created C:\Windows\SysWOW64\Jkhejkcq.exe Jdnmma32.exe File created C:\Windows\SysWOW64\Nmlkfoig.dll Oibmpl32.exe File created C:\Windows\SysWOW64\Looghene.dll Jijokbfp.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qemldifo.exe File created C:\Windows\SysWOW64\Qopmpa32.dll Agihgp32.exe File opened for modification C:\Windows\SysWOW64\Ehkhaqpk.exe 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe File created C:\Windows\SysWOW64\Anbkipok.exe Aoojnc32.exe File created C:\Windows\SysWOW64\Kpojkp32.exe Kalipcmb.exe File created C:\Windows\SysWOW64\Jbnjhh32.exe Ilcalnii.exe File opened for modification C:\Windows\SysWOW64\Lgingm32.exe Legaoehg.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Apgagg32.exe File created C:\Windows\SysWOW64\Iglhhc32.dll Kpojkp32.exe File created C:\Windows\SysWOW64\Igebkiof.exe Iakino32.exe File opened for modification C:\Windows\SysWOW64\Mjkgjl32.exe Mbcoio32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6980 6956 WerFault.exe 612 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Aoojnc32.exeDokfme32.exeGgagmjbq.exeGfnjne32.exeHqnapb32.exeMphiqbon.exeGmpcgace.exeIllbhp32.exeBfoeil32.exeBhdhefpc.exeKbjbge32.exeEhkhaqpk.exePohhna32.exeGdcjpncm.exeIfpcchai.exeLkggmldl.exeOfqmcj32.exeLfhhjklc.exeMfgnnhkc.exeBlfapfpg.exeKoflgf32.exeKnmdeioh.exeLjfapjbi.exeLgngbmjp.exePpkjac32.exeGgicgopd.exeApppkekc.exeJfofol32.exeKffldlne.exePdgmlhha.exeBmbgfkje.exeDmgmpnhl.exeFamope32.exeOjmpooah.exeOidiekdn.exeEkdchf32.exeHgflflqg.exeBoifga32.exeHmmbqegc.exeHnpdcf32.exeNppofado.exeCglalbbi.exeHdpcokdo.exeIdkpganf.exeIpjdameg.exeLnecigcp.exeImbjcpnn.exeKpgffe32.exeOibmpl32.exeQkielpdf.exeHcepqh32.exeKljdkpfl.exeCfanmogq.exeJmfcop32.exeLbafdlod.exeIgebkiof.exeMmccqbpm.exeMbchni32.exeFcphnm32.exeFmkilb32.exeBkhhhd32.exeDnpciaef.exeGckdgjeb.exeHnnhngjf.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggagmjbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphiqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoeil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdhefpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcjpncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkggmldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfgnnhkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfapfpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koflgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfapjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgngbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicgopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdchf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgflflqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmbqegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpdcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnecigcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgffe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljdkpfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfanmogq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbchni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe -
Modifies registry class 64 IoCs
Processes:
Mclebc32.exePacajg32.exePicojhcm.exeBnfddp32.exeNgdjaofc.exeAknngo32.exeDaaenlng.exeOmhhke32.exeFdiqpigl.exeIhbcmaje.exePhnpagdp.exeHmoofdea.exeCehhdkjf.exeNpjlhcmd.exeHqnapb32.exeNnjicjbf.exeBhkeohhn.exeKeqkofno.exeAahfdihn.exeIeajkfmd.exeGghmmilh.exeHjlbdc32.exeKalipcmb.exeNknimnap.exeLdokfakl.exePpkjac32.exeAclpaali.exeJbefcm32.exeLgingm32.exeHqkmplen.exeJnagmc32.exeKpgionie.exeJfofol32.exeKcgphp32.exePbagipfi.exeDpeiligo.exeBbhccm32.exeEicpcm32.exeEijdkcgn.exeFibcoalf.exeGnphdceh.exeOhipla32.exeFkcilc32.exeGamnhq32.exeCcmpce32.exeCepipm32.exeMcfemmna.exeLcjlnpmo.exeBgdkkc32.exeKhgkpl32.exeHbggif32.exeKnmdeioh.exeBnlgbnbp.exeGagkjbaf.exeBlfapfpg.exeDmkcil32.exeFccglehn.exePohhna32.exeCncmcm32.exeDphfbiem.exeGqlhkofn.exeKjmnjkjd.exeObhdcanc.exePmehdh32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcdfdcb.dll" Mclebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Picojhcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdjaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknngo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgidcjn.dll" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nidjhoea.dll" Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hmoofdea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjicjbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbcdh32.dll" Keqkofno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giqhcmil.dll" Ieajkfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghmmilh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kalipcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmpfa32.dll" Ldokfakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppkjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmmlqlp.dll" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll" Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpeiligo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnmpn32.dll" Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbid32.dll" Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fibcoalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnphdceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohipla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpfip32.dll" Gamnhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjqf32.dll" Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgdkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klncqmjg.dll" Hbggif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamhcmdo.dll" Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgojdj32.dll" Gagkjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boddiidc.dll" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keclgbfi.dll" Fccglehn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pohhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgnph32.dll" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obhdcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmehdh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exeEhkhaqpk.exeEpbpbnan.exeEijdkcgn.exeEhpalp32.exeEoiiijcc.exeFkpjnkig.exeFpmbfbgo.exeFamope32.exeFcnkhmdp.exeFqalaa32.exeFcphnm32.exeFfaaoh32.exeFmkilb32.exeGhajacmo.exeGolbnm32.exedescription pid Process procid_target PID 2064 wrote to memory of 2088 2064 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe 30 PID 2064 wrote to memory of 2088 2064 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe 30 PID 2064 wrote to memory of 2088 2064 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe 30 PID 2064 wrote to memory of 2088 2064 3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe 30 PID 2088 wrote to memory of 1980 2088 Ehkhaqpk.exe 31 PID 2088 wrote to memory of 1980 2088 Ehkhaqpk.exe 31 PID 2088 wrote to memory of 1980 2088 Ehkhaqpk.exe 31 PID 2088 wrote to memory of 1980 2088 Ehkhaqpk.exe 31 PID 1980 wrote to memory of 2440 1980 Epbpbnan.exe 32 PID 1980 wrote to memory of 2440 1980 Epbpbnan.exe 32 PID 1980 wrote to memory of 2440 1980 Epbpbnan.exe 32 PID 1980 wrote to memory of 2440 1980 Epbpbnan.exe 32 PID 2440 wrote to memory of 2836 2440 Eijdkcgn.exe 33 PID 2440 wrote to memory of 2836 2440 Eijdkcgn.exe 33 PID 2440 wrote to memory of 2836 2440 Eijdkcgn.exe 33 PID 2440 wrote to memory of 2836 2440 Eijdkcgn.exe 33 PID 2836 wrote to memory of 2828 2836 Ehpalp32.exe 34 PID 2836 wrote to memory of 2828 2836 Ehpalp32.exe 34 PID 2836 wrote to memory of 2828 2836 Ehpalp32.exe 34 PID 2836 wrote to memory of 2828 2836 Ehpalp32.exe 34 PID 2828 wrote to memory of 2296 2828 Eoiiijcc.exe 35 PID 2828 wrote to memory of 2296 2828 Eoiiijcc.exe 35 PID 2828 wrote to memory of 2296 2828 Eoiiijcc.exe 35 PID 2828 wrote to memory of 2296 2828 Eoiiijcc.exe 35 PID 2296 wrote to memory of 2668 2296 Fkpjnkig.exe 36 PID 2296 wrote to memory of 2668 2296 Fkpjnkig.exe 36 PID 2296 wrote to memory of 2668 2296 Fkpjnkig.exe 36 PID 2296 wrote to memory of 2668 2296 Fkpjnkig.exe 36 PID 2668 wrote to memory of 2688 2668 Fpmbfbgo.exe 37 PID 2668 wrote to memory of 2688 2668 Fpmbfbgo.exe 37 PID 2668 wrote to memory of 2688 2668 Fpmbfbgo.exe 37 PID 2668 wrote to memory of 2688 2668 Fpmbfbgo.exe 37 PID 2688 wrote to memory of 1268 2688 Famope32.exe 38 PID 2688 wrote to memory of 1268 2688 Famope32.exe 38 PID 2688 wrote to memory of 1268 2688 Famope32.exe 38 PID 2688 wrote to memory of 1268 2688 Famope32.exe 38 PID 1268 wrote to memory of 2600 1268 Fcnkhmdp.exe 39 PID 1268 wrote to memory of 2600 1268 Fcnkhmdp.exe 39 PID 1268 wrote to memory of 2600 1268 Fcnkhmdp.exe 39 PID 1268 wrote to memory of 2600 1268 Fcnkhmdp.exe 39 PID 2600 wrote to memory of 1668 2600 Fqalaa32.exe 40 PID 2600 wrote to memory of 1668 2600 Fqalaa32.exe 40 PID 2600 wrote to memory of 1668 2600 Fqalaa32.exe 40 PID 2600 wrote to memory of 1668 2600 Fqalaa32.exe 40 PID 1668 wrote to memory of 1636 1668 Fcphnm32.exe 41 PID 1668 wrote to memory of 1636 1668 Fcphnm32.exe 41 PID 1668 wrote to memory of 1636 1668 Fcphnm32.exe 41 PID 1668 wrote to memory of 1636 1668 Fcphnm32.exe 41 PID 1636 wrote to memory of 2888 1636 Ffaaoh32.exe 42 PID 1636 wrote to memory of 2888 1636 Ffaaoh32.exe 42 PID 1636 wrote to memory of 2888 1636 Ffaaoh32.exe 42 PID 1636 wrote to memory of 2888 1636 Ffaaoh32.exe 42 PID 2888 wrote to memory of 2208 2888 Fmkilb32.exe 43 PID 2888 wrote to memory of 2208 2888 Fmkilb32.exe 43 PID 2888 wrote to memory of 2208 2888 Fmkilb32.exe 43 PID 2888 wrote to memory of 2208 2888 Fmkilb32.exe 43 PID 2208 wrote to memory of 556 2208 Ghajacmo.exe 44 PID 2208 wrote to memory of 556 2208 Ghajacmo.exe 44 PID 2208 wrote to memory of 556 2208 Ghajacmo.exe 44 PID 2208 wrote to memory of 556 2208 Ghajacmo.exe 44 PID 556 wrote to memory of 2596 556 Golbnm32.exe 45 PID 556 wrote to memory of 2596 556 Golbnm32.exe 45 PID 556 wrote to memory of 2596 556 Golbnm32.exe 45 PID 556 wrote to memory of 2596 556 Golbnm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe"C:\Users\Admin\AppData\Local\Temp\3973aed8c41440c3b39d6c25adc1aa5dc7f93c27770efcbf5a30897680e09f46.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe33⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe34⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe35⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe36⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe40⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe41⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe43⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe47⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe48⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe51⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe52⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe54⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe55⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe56⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe57⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe58⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe59⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe60⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe61⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe62⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe63⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe64⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe66⤵PID:1532
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe67⤵PID:2480
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe70⤵PID:1556
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe71⤵PID:2724
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe72⤵PID:2856
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe74⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe75⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe77⤵PID:792
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe78⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe79⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe81⤵PID:884
-
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe82⤵PID:824
-
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe83⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe84⤵PID:1996
-
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe86⤵PID:868
-
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe87⤵PID:2172
-
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe89⤵PID:2840
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe90⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe91⤵PID:1564
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe92⤵PID:1968
-
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe93⤵PID:1672
-
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe94⤵PID:2908
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe95⤵PID:2436
-
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe96⤵PID:1028
-
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe97⤵PID:604
-
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe98⤵PID:1464
-
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe99⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe100⤵PID:2504
-
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe101⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe102⤵PID:2620
-
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe103⤵PID:2028
-
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe104⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe105⤵PID:1792
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe106⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe107⤵PID:444
-
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe108⤵PID:1748
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1236 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe110⤵PID:2328
-
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe111⤵PID:1932
-
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe112⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe113⤵PID:3036
-
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe114⤵PID:2516
-
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe115⤵PID:1988
-
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe117⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe120⤵PID:1696
-
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe121⤵PID:308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-